(57) Abstract

A dual-mode communication system made up of an AMPS network and a GSM
network provides for communication to and from dual-mode terminals
equipped with corresponding SIM cards. The mobile terminals store a
terminal-based ESN, and the SIM cards store a SIM-based ESN and MIN. The
dual-mode system uses the terminal-based ESN and MIN for registration in
the AMPS network. For authentication purposes, however, the dual-mode
system uses the SIM-based ESN for key-based authentication in the AMPS
network.

SUBSCRIBER VALIDATION METHOD IN CELLULAR
COMMUNICATION SYSTEM

Technical Field 

This invention relates to the field of communication systems, and more
particularly to a method of preventing unlawful use of a mobile terminal
operating in a communication system.

Background 

In mobile telecommunication networks, such as the widely used cellular
networks, subscribers with mobile terminals, for example, a portable
mobile terminal, are identified within the network through one or more ID
codes. Generally, a terminal-specific ID code identifies the mobile
terminal, and a subscriber-specific ID code identifies a subscriber to the
network. At predefined intervals, such as when placing a call, the mobile
terminal transmits the ID codes to the network. Before establishing the
call, the network verifies the authenticity of the IDs using one of a
variety of validation procedures. Once the ID codes are verified, the
network allows the call to proceed. Otherwise, the network declines the
call.

In some instances, however, the integrity of the validation procedure may
be compromised, resulting in unauthorized use of the network, for example,
when the mobile terminal is stolen. Other instances of unauthorized use
may occur by acquiring the ID codes illegally from the mobile terminal,
for example, by reading the stored IDs from the terminal or intercepting
them during transmission. Consequently, there is demand for preventing
unauthorized use of the network.

The validation procedure in an analog communication network known as
Advanced Mobile Phone System (AMPS), which is employed in North America
under EIA/TIA 553A standard, includes a registration process that relies
on two ID numbers: an electronic serial number (ESN), which is a terminal
specific ID and a mobile identification number (MIN), which is a
subscriber specific ID. The ESN is a 32-bit hardware-based serial number
composed of two parts: an 8-bit Manufacturer Code that identifies the
maker of the mobile terminal, and a 24-bit Identification Number that is
unique to that mobile for the given Manufacturer Code. The MIN corresponds
to a user telephone number assigned when a subscriber account is opened.
Both the ESN and MIN are stored in the mobile terminal, usually in a
non-volatile memory such as an EEPROM (electrically erasable programmable
read-only memory). Under the AMPS specification, at specified instances,
such as upon power up, a mobile terminal operating in the AMPS system
transmits the ESN and MIN to the network for registration. In other
instances, the mobile terminals transmit the ESN and MIN when placing a
call or when transitioning from one network to another.

Some of the early installed AMPS systems use a simple and rudimentary
subscriber validation process that can subject the network to frequent
instances of unauthorized use. The subscriber validation process in the
early AMPS systems consists of verifying whether the transmitted ESN and
MIN from the mobile terminal are registered in the network as
corresponding to each other or not. Also verified is whether the received
ESN is listed in a black list of reported stolen terminals. Upon
verification of a non-black listed ESN and its correspondence with the
received MIN, the network would allow the call to proceed.

Not long ago, the cloning of stolen terminals, the process of reading the
ESN of an authentic paying subscriber from the EEPROM, was a common
practice for unauthorized use of the terminal. One conventional measure
for preventing unlawful reading of the ID codes encrypts the codes, before
writing them into the mobile terminal. The terminal then un-encrypts the
codes before transmitting them to the network. Because the ID codes are
transmitted un-encrypted, however, this measure does not provide any
protection against unauthorized over-the-air interception of the codes
during transmission to the network. Therefore, a more elaborate validation
process was devised to insure against the unauthorized interception of the
ID codes.

More advanced AMPS systems use a key-based authentication procedure to
validate the generated calls. Under this arrangement, the ESN and MIN are
keyed with a hidden Authentication key (A-key), which is known to the
network operator. In authenticating AMPS systems, a Shared Secret Data
(SSD) is used in the authentication process. Under a procedure described
in EIA/TIA 553A, the SSD is derived from the A-key and the ESN. Based on
the SSD, an authentication algorithm in the terminal produces a terminal
authentication result (AUTHR), which is transmitted to the network along
with the ESN and MIN. Upon receipt, the network registers the terminal,
and based on the received MIN, produces a network generated AUTHR. The
network then determines whether the terminal generated AUTHR matches the
network generated AUTHR. If so, the network allows the call to proceed. In
this way, the key-based authentication process eliminates or substantially
reduces the risk of fraudulent over-the-air interception of the IDs.

A similar key-based authentication process is used in Global System for
Mobile Communications (GSM) radiotelephone system, which is currently in
use in Europe and other parts of the world. In the GSM systems, a
Subscriber Information Module (SIM) card is inserted into the mobile
terminal for providing subscriber identification, billing information and
other information concerning the operation of the mobile terminal. Each
GSM mobile terminal has a terminal-based International Mobile Equipment
Identity (IMEI), which is stored in the GSM terminal. Each GSM subscriber
is identified by a SIM-based International Mobile Subscription Identity
(IMSI) belonging to a specific SIM card. The IMSI, which corresponds to
AMPS MIN, is also referred to as the SIM-ID. Upon a subscriber
application, the system operator issues a SIM-ID number and a SIM card
that when inserted in the GSM mobile terminal, enables the subscriber to
use the services provided by the operator. In this way, the same GSM
terminal can be used with any SIM card inserted into the GSM mobile
terminal.

Under GSM authentication processes, a GSM authentication algorithm keys
the SIM ID with a hidden authentication key, known as Ki, which
corresponds to AMPS A-key. Similar to the AMPS authentication process, the
terminal and network generated authentication results are compared for
authenticating each call. Unlike AMPS authentication process, which uses
the terminal-specific ESN, the GSM authentication process uses only the
SIM-based Ki, and the subscriber-specific SIM-ID. Thus, a valid SIM card
may be used with any valid GSM mobile terminal, because the GSM
specification does not link a terminal-specific IMEI validation process to
a subscriber specific IMSI validation process.

With the introduction of dual-mode mobile phones that operate under the
GSM-1900/AMPS dual-mode environment, a removable SIM card storing the MIN
allows subscribers to easily move the AMPS subscription data from one
physical mobile terminal to another, without network assistance. As such,
the dual-mode system provides for the capability of handling changes in
the ESN that may occur when the SIM card is removed from one mobile
terminal and inserted into another by associating each MIN with multiple
ESN's or a range of ESN's. Because the early AMPS networks do not perform
a key-based authentication, the association of a single MIN with multiple
ESNs increases the possibility of fraud in the non-authenticating AMPS
networks.

In order to diminish the possibility of fraud in the AMPS networks, it
would have been desirable to incorporate the ESN and the MIN together on
the SIM card, where a set of SIM-based MIN and SIM-based ESN could have
been transmitted together. This SIM-based ESN could also have been used to
generate the authentication result AUTHR, thereby safely linking the ESN
and MIN values together. However, current U.S. Federal Communications
Commission (FCC) regulations require that a terminal-based ESN, which is
embedded, i.e., hard wired, to the terminal, be transmitted in the system
access response from the mobile terminal to the network. In fact, the
GSM-1900/AMPS Dual-Mode specification has reserved a secondary ESN on the
SIM card. However, the specification is silent as to how this secondary
ESN may be used in the authentication process. The Personal Communication
Systems Universal Identity Module (PCS UIM) Specification allows for both
a mobile terminal-based and a UIM/SIM-based ESN. Given the FCC
requirements, however, the PCS UIM does not currently provide any way to
use the SIM-based ESN. This specification has been written to support a
SIM based ESN authentication if and when the FCC regulation is changed to
allow such authentication.

Moreover, if the ESN is changed as a result of inserting a new SIM card
from one terminal into another, the SSD must be updated to accommodate the
change in the ESN. The algorithm for updating the SSD is complicated,
taking a substantial amount of time, usually in the range of 4-5 seconds,
each time the SSD is to be updated.

In view of the current FCC regulation, therefore, there exists a need for
providing a fast authentication process that supports SIM cards in the
dual-mode communication system, while reducing the risk of fraud in the
early non-authenticating systems and maintaining backward compatibility
with existing systems.

Summary 

Briefly, the present invention is embodied in a dual-mode communication
system within which a dual-mode terminal equipped with a SIM card
operates. The dual-mode system includes a first network, such as the AMPS
network, and a second network, such as the GSM network. The validation
method of the present invention uses a terminal-based ESN for registration
in the first network, a SIM-based ESN for a key-based authentication
process in the first network, and a non-ESN key-based authentication
process in the second network. The dual-mode terminal stores the
terminal-based ESN, and the SIM card stores the SIM-based ESN.

Brief Description of Drawings 

FIG. 1 is a block diagram of a dual-mode communication system that
advantageously incorporates the present invention.

FIG. 2 is a block diagram of a dual-mode terminal that operates in the
system of FIG. 1.

FIG. 3 is a diagram of a protocol for establishing a call in an AMPS
network of the communication system of FIG. 1.

FIG. 4 is a diagram of validation Words communicated during the
authentication and registration processes of the AMPS network.

FIG. 5 is a block diagram of an inter-working function block used in the
dual mode communication system of FIG. 1.

Detailed Description

Referring to FIG. 1, a block diagram of a dual-mode communication system
10 that advantageously incorporates the present invention is shown. In an
exemplary embodiment, it is assumed that the dual-mode communication
system 10 supports both the digital GSM-1900 and analog AMPS standards. As
such, the system 10 includes a GSM network 12 and an AMPS network 14,
which in the exemplary embodiment of system 10 interface with each other
via an inter-working function (IWF) block 16, a detailed description of
which is given in connection with FIG. 5 below. Because the modes of
operation of GSM and AMPS networks 12 and 14 are well known, the dual-mode
communication system 10 is described to the extent necessary for
understanding the present invention.

In essence, all cellular networks, including GSM and AMPS networks 12 and
14, have a similar structure, being complete telephone networks in their
own right, with dedicated exchanges within an interconnected network, and
with base stations connected to the exchanges. There are, however, many
ways of planning a cellular network in practice, the optimum arrangement
for any particular application being dependent upon the capacity required,
cost of implementation, capabilities of the chosen manufacturer's
equipment, etc.

Both the GSM and AMPS networks 12 and 14 include fixed networks, which
perform several fundamental tasks, including connecting all base stations
covering corresponding cells or clusters to each other for the purpose of
communicating signals and messages to and from subscribers operating in
their respective network. The fixed network of each one of the GSM and
AMPS networks 12 and 14 has one or more GSM and AMPS Mobile Switching
Centers (MSC) 18 and 20, respectively, that are responsible for directing
traffic around their respective networks. The MSCs 20 and 18 are
associated with corresponding home location registers (HLR) 26 and 28 and
visitors location registers (VLR) 30 and 32. It would be appreciated that
the VLRs and HLRs need not be physically associated with the location of
their MSC, since the fixed network gives full connectivity. Generally, the
MSCs 18 and 20 are connected to a public switching telephone network 22
(PSTN), to give connectivity between fixed landline subscribers and mobile
subscribers.

The mobile subscribers of the system 10 each carry a mobile terminal,
which in the preferred embodiment of the invention comprises a dual-mode
terminal 24 capable of operating in the GSM and AMPS networks 12 and 14.
As described later in detail, the dual-mode terminal 24 includes a
removable Subscriber Information Module (SIM) card, similar to the one
used by an existing GSM mobile terminal which carries subscriber
identification, billing information and other information concerning the
operation of the dual-mode terminals.

For the GSM and AMPS networks 12 and 14, the dual-mode system 10 performs
independent validation procedures involving a key-based authentication
process. In the GSM network 12, the authentication process is performed by
an authentication center (AUC) block 34, which may be a part of the GSM
HLR 28. As briefly described in the background section of the application,
the authentication process in the GSM network 12 compares a terminal
generated AUTHR with a network generated AUTHR to validate the GSM call.
As is conventional, an equipment identity register (EIR) block 38
determines whether a terminal is black listed.

In the AMPS network 14, the validation procedure includes a registration
process and an authentication process, which, similar to the
authentication process of the GSM network 12, is a key-based
authentication process. The authentication process in the AMPS network 14
is performed by an AUC block, which is usually associated with the AMPS
HLR of the subscriber's "home" AMPS system. For the purpose of describing
the present invention, the AUC block and the subscriber's "home" HLR are
described below as part of the IWF block 16.

According to the present invention, the dual-mode terminal 24 stores a
first ESN (hereinafter referred to as the terminal-based ESN), which is
specific to the dual-mode terminal 24. The SIM card stores a second ESN
(hereinafter referred to as the SIM-based ESN), which is specific to the
SIM card. Along with the SIM-based ESN, the SIM card also stores a MIN,
which is assigned to the subscriber by the communication service provider.
The dual-mode terminal 24 uses the terminal-based ESN and the MIN for the
registration process, and it uses the SIM-based ESN for the AMPS key-based
authentication process. Under this arrangement, the dual-mode terminal 24
also operates compatibly with the non-authenticating AMPS systems by using
the existing registration process, while supporting the key-based
authentication processes of the AMPS and GSM networks 14 and 12.

The GSM network 12 uses a base station controller (BSC) 40 for controlling
base stations, covering corresponding clusters or cells. The primary
function of the BSC 40 is radio resource management. For example, based on
reported received signal strength at the dual-mode terminal 24, the BSC 40
determines whether to initiate a hand over. The BSC 40 communicates with
the MSC 18 using a standard interface. The BSC 40 controls a group of GSM
base stations, known as base transceiver stations (BTSs) 42. Each BTS 42
includes a number of TRXs (not shown) that use digitally encoded bursts
over uplink and downlink RF channels, to serve a particular common
geographical area. Therefore, the BTSs 42 primarily provide the RF links
for the transmission and reception of data bursts to and from the
dual-mode terminal 24 within its designated cell. It should be noted that
although the exemplary embodiment is described in terms of the GSM network
12, the dual-mode system 10 may include various other TDMA or CDMA digital
networks, such as those based on the IS-136 or IS-95 standards, as well as
other analog networks, such as those based on the ETACS standard.

An AMPS national switching network can consist of over 20 MTSOs, one of
which is shown as block 44 in FIG. 1. Each MTSO 44 consolidates the
corresponding functionalities of the AMPS MSC 20, VLR 30, HLR 26 and AUC
36, which are shown as separate blocks in FIG. 1. The MTSOs 44 are digital
exchanges with a distributed control architecture, especially adapted for
operation in the cellular environment. The MTSOs 44 are also linked
together with digital circuits forming a fully interconnected network. The
signaling between base stations and switches, and between switches, is
usually proprietary in nature, and is carried in time slots on the digital
circuits.

In the exemplary AMPS network 14, sets of cells are connected in turn to
the MTSO 44. Unlike the GSM network 12, in the AMPS network 14 and other
analog cellular networks, the base station controller is a part of the
AMPS MSC 20. For much of the network, base stations 46 are organized in a
7-cell or 12-cell repeat pattern with omni-directional coverage from each
base station. Most base stations 46, which are connected to the AMPS MSC
20 by digital (2 Mbps) leased lines, have between 20 and 30 voice
channels, with one signaling, or control, channel carrying all paging and
access functions.

Referring to FIG. 2, a block diagram of the dual-mode terminal 24 is
shown. Through an antenna 48, the dual-mode terminal 24 receives and
transmits properly modulated radio frequency signals in a well known
manner. Depending on the operating mode, an AMPS/GSM switch 50 couples the
antenna 48 to either a GSM RF section 52 or an AMPS RF section 98.

The GSM RF section 52 includes a well known GSM-1900 TX Logic block 54 and
a well known GSM-1900 RX Logic block 56, which are selectively coupled to
the antenna 48 via a GSM RX/TX switch 58. Similarly, the AMPS RF section
98 includes a well known AMPS TX Logic block 60, a Power Amplifier block
62 and a well known AMPS RX Logic block 64, which are coupled to the
antenna 48 via a well known duplex filter 66.

By executing a program stored in a flash memory 70, a micro-controller 68
controls the overall operation of the dual-mode terminal 24, including the
GSM and AMPS RF sections 52 and 98. For example, the micro-controller 68
controls the operation of a frequency synthesizer 72 that provides the
operating frequencies of the GSM and AMPS RF sections 52 and 98. In a
well-known manner, the micro-controller 68 also interfaces with a serial
I/O interface 74, a keypad 76, a display 78, as well as a speaker 80 and a
microphone 82 via a DSP/audio control block 84.

As described above, the dual-mode terminal 24 has a terminal-based ESN,
which is stored in a terminal EEPROM 86. Through a SIM interface 88, the
dual-mode terminal is equipped with a removable SIM card 90, which
operates under the control of a SIM controller 92 executing a SIM
operation program stored in a SIM memory 94. A SIM EEPROM 96 stores much
subscriber related information as well as the SIM-based ESN and MIN. In
the AMPS network 14, the MIN allows the calls to be accepted or received
as well as allowing the billing of the call charges to a particular
subscriber.

WO 00/01187    PCT/SE99/01112

Unlike the fixed public telephone network (PSTN), in the GSM and AMPS
networks 12 and 14, "roaming" subscribers could be found anywhere within
the network, which in the case of several systems can extend over national
borders. Therefore, a very large amount of signaling overhead is required
over a control channel (CC) to allow subscribers to call or be called
within the network. The AMPS network 14 sets up each dual-mode terminal on
a free channel in a cell when it calls, or is called by the local base
station.

FIG. 3 shows a diagram of a signaling arrangement for granting a
particular pair of voice channels to the dual-mode terminal 24, while it
is operating in the AMPS network 14. The signaling protocol involves call
request, handshake and connect procedures. The AMPS network 14 uses four
RF channels, namely a forward control channel (FCC), a reverse control
channel (RCC), a forward voice channel (FVC), and a reverse voice channel
(RVC), to establish a call. The FCC is a globally accessible control
channel used by the AMPS network 14 to continuously transmit a synchronous
control data stream from the base stations 46 to the dual-mode terminal
24. Conversely, the RCC is a control channel shared by the dual-mode
terminal 24 and other terminals to asynchronously send information back to
the AMPS network 14. FVC and RVC are dedicated voice channels to and from
the dual-mode terminal 24, respectively, carrying speech and data
information between the terminal 24 and network 14. While data is
transmitted on these voice channels during a call, the speech path is
muted to prevent what would appear as interference to the speech circuit.

Operationally, when the dual-mode terminal 24 is operating in the AMPS
network 14, its data is retrieved from the IWF 16 and stored in the VLR 30
for the MSC 20, which serves the cells in the area where the dual-mode
terminal 24 is located. The IWF 16 notes the identity of the current VLR
30 and the fact that the dual-mode terminal 24 is active. Incoming calls
for the dual-mode terminal 24 interrogate the IWF 16, based on knowledge
of the terminal's MIN and where each MIN is stored. If the dual-mode
terminal 24 is active, the call is routed to the appropriate VLR 30 for
paging the dual-mode terminal 24. Periodically (typically every 15
minutes), the dual-mode terminal 24 re-registers itself to let the AMPS
network 14 know that it is still active and allow the system to determine
where within its cells the terminal is located.

In the AMPS network 14, the MSC 20 periodically issues registration
commands to all dual-mode terminals, including the dual-mode terminal 24,
listening to the MSC's FCC. As explained above, under the present
invention, the dual-mode terminal 24, when operating in the AMPS network
14, registers in the network using the MIN and the terminal-based ESN. As
such, after determining a proper time to register, the dual-mode terminal
24 builds and transmits a registration response to the MSC 20. This
registration response includes Words A and B, which include the MIN, and
Word C, which includes the terminal-based ESN. The formats of Words A, B,
and C are shown in FIG. 4.

For the authentication process under the present invention, however, the
dual-mode terminal 24 also transmits an AUTHR using an Authentication Word
C, which is derived based on the SIM-based ESN and a hidden SSD. The
format of this additional Word C is also shown in FIG. 4. AUTHR is
computed by sending an Authentication Data request to the SIM card 90,
which executes its internal AMPS Authentication algorithm (using the SSD
and SIM-based ESN) and returns the result to the dual-mode terminal 24.
The dual-mode terminal 24 transmits the MIN, AUTHR, and terminal-based ESN
to the VLR 30 via the cell site 46 and AMPS MSC 20. The VLR determines
which AMPS network (IS-41) node corresponds to this dual-mode terminal's
home system. The VLR then passes the data to that node.

Referring to FIG. 5, a block diagram of the IWF block 16 is shown. The IWF
block 16 is the bridge between the AMPS IS-41 network 112 and the GSM SS7
network 110. In the exemplary embodiment of system 10, the IWF block 16 is
loosely associated with the GSM network 12. Using a GSM interface 102, the
IWF block 16 acts as a standard GSM VLR 114. Using an AMPS interface 104,
the IWF block 16 acts as a standard AMPS HLR 116. When data needs to cross
the boundary between the AMPS and GSM networks, an Interworking Function
100 is used to convert the data from the format of the supplying network
into the format expected by the target network. The AMPS HLR 116 portion
of the IWF block 16 has an associated AMPS Authentication Center Database
106, which is used for validating both the terminal and subscriber ID
codes supplied by the terminal 24 during registration and authentication.
This database contains records corresponding to each valid subscriber for
its system. Each such subscriber record contains the values for the
SIM-based MIN, A-Key, SSD, the terminal-based ESN, roaming information,
such as in which AMPS system the terminal is currently active, and
additional parameters, such as a Customer Service Profile, that defines
terminal supported features. In the exemplary embodiment of the present
invention, each subscriber record stored in the AUC database 106 contains
an additional field for the SIM-based ESN. These subscriber records can be
added, examined, updated, and deleted, and the IWF block 16 functionality
fine tuned, through a user/operator interface 108.

In the preferred embodiment of the invention, the home AMPS system node is
the AMPS HLR 116 portion of the IWF block 16 that is also connected to the
dual-mode terminal's home GSM network 12. The IWF block 16 verifies, via
its internal database 106, that the ESN is not blacklisted. According to
the present invention, the AMPS HLR 116 portion of the IWF block 16 then
computes its own version of AUTHR, using its copy of the SSD and SIM-ESN
values fetched from the AUC database 106. If the IWF-computed AUTHR value
matches the terminal generated AUTHR value, the GSM VLR 114 portion of the
IWF block 16 informs the terminal's home GSM HLR 28 that the terminal has
successfully registered with the AMPS MSC 20, and passes an Authentication
Registration success message back to the AMPS VLR 30. The VLR 30 processes
the success message, validating the dual-mode terminal 24 within its
database, then passes the success message along to the dual-mode terminal
24, via the MSC 20. The dual-mode terminal 24 accepts the success status,
updates internal flags and counters, and resumes listening for pages from
the AMPS MSC 20.

Therefore, in the present invention, the dual-mode terminal 24 uses the
terminal-based ESN in the standard AMPS Serial Number Word C, for
registration, but uses the SIM-based ESN to generate the AUTHR value
returned in the standard AMPS Authentication Word C, for the
authentication process. The SIM-based ESN can be safely provided to the
system operators just as are today's A-Key and Ki/Kc values, thereby
reducing fraud in the dual-mode communication system 10. The SIM-based ESN
could act as a second hidden key, like the A-Key, making an authentication
algorithm, deemed safe today, virtually impossible to crack. In the
preferred embodiment, the SIM-based ESN includes 32 bits, resulting in 64
out of the 128 AUTHR input bits being secret data. Unlike the
terminal-based ESN, the SIM-based ESN does not require any fixed sized
subfields, namely the 8-bit manufacturer code and the 24-bit
Identification Number. Rather, the 32-bit SIM-based ESN can be generated
by the operator or SIM card manufacturer by whatever method they choose.
Also, unlike the terminal-based ESN, the SIM-based ESN does not need to be
unique for each SIM card although in practice a large number of SIM-based
ESN's should be used to increase randomness and reduce predictability. The
present invention also maintains compatibility with the non-authenticating
AMPS systems, for example, allowing system operators to track hardware
problems by manufacturer, while complying with the FCC guidelines.
Moreover because no SSD updates need to be made, the present invention
reduces system-mobile communications when a new dual-mode terminal is
used, as the dual-mode terminal ESN is no longer a part of the validation
process. The user can immediately use a new dual-mode terminal in an
authenticating AMPS system with this approach, instead of waiting up to
several minutes for an SSD update procedure to finish, for example, after
an authentication failure has occurred. The IWF block 16 simply updates
its records with the new dual-mode terminal ESN after it has successfully
authenticated the subscriber.
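
An added example, not part of the patent text: a Python model of the
validation flow described above, in which registration carries the MIN and
terminal-based ESN while AUTHR is computed on the SIM from the SSD and
SIM-based ESN and checked by the IWF. The page does not give the AMPS
authentication algorithm, so HMAC-SHA256 truncated to 18 bits stands in for
it; the challenge value `rand`, the class, field and status names, and all
sample values are assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

AUTHR_BITS = 18  # output width chosen for this example (assumption)


def split_esn(esn: int) -> tuple:
    """Terminal-based ESN: 8-bit manufacturer code + 24-bit identification number."""
    return (esn >> 24) & 0xFF, esn & 0xFFFFFF


def authr(ssd: bytes, esn: int, min_: str, rand: bytes) -> int:
    """Stand-in for the AMPS authentication algorithm, which the page does not give."""
    msg = esn.to_bytes(4, "big") + min_.encode() + rand
    digest = hmac.new(ssd, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - AUTHR_BITS)


@dataclass
class SimCard:
    min_: str
    sim_esn: int
    ssd: bytes

    def authentication_data(self, rand: bytes) -> int:
        # The SIM runs the algorithm itself; SSD and SIM-based ESN stay on the card.
        return authr(self.ssd, self.sim_esn, self.min_, rand)


@dataclass
class Terminal:
    terminal_esn: int
    sim: SimCard

    def access(self, rand: bytes) -> dict:
        # Registration fields are MIN + terminal-based ESN; AUTHR comes from the SIM.
        return {"min": self.sim.min_, "esn": self.terminal_esn,
                "authr": self.sim.authentication_data(rand)}


@dataclass
class SubscriberRecord:  # one AUC database entry, including the SIM-based ESN field
    sim_esn: int
    ssd: bytes
    terminal_esn: int


class Iwf:
    def __init__(self):
        self.auc = {}         # MIN -> SubscriberRecord
        self.blacklist = set()

    def legacy_validate(self, msg: dict) -> bool:
        """Early AMPS check: ESN/MIN pair is registered and ESN is not black listed."""
        rec = self.auc.get(msg["min"])
        return (rec is not None and rec.terminal_esn == msg["esn"]
                and msg["esn"] not in self.blacklist)

    def validate(self, msg: dict, rand: bytes) -> str:
        rec = self.auc.get(msg["min"])
        if rec is None:
            return "unknown-min"
        if msg["esn"] in self.blacklist:
            return "blacklisted"
        expected = authr(rec.ssd, rec.sim_esn, msg["min"], rand)
        got = msg["authr"]
        if not 0 <= got < (1 << AUTHR_BITS) or not hmac.compare_digest(
                expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
            return "auth-failed"
        rec.terminal_esn = msg["esn"]  # note the new terminal; no SSD update needed
        return "ok"


def demo() -> dict:
    # Every identifier and key below is constructed sample data.
    sim = SimCard("3105550123", 0x5A17C0DE, bytes.fromhex("0f1e2d3c4b5a6978"))
    phone_a, phone_b = Terminal(0x9F01A2B3, sim), Terminal(0x9F0C0FFE, sim)
    iwf = Iwf()
    iwf.auc[sim.min_] = SubscriberRecord(sim.sim_esn, sim.ssd, phone_a.terminal_esn)
    r1, r2, r3 = (bytes([n]) * 4 for n in (1, 2, 3))
    out = {}
    captured = phone_a.access(r1)  # the fields visible over the air
    out["first_access"] = iwf.validate(captured, r1)
    out["replay_legacy"] = iwf.legacy_validate(captured)  # pair check alone accepts it
    out["replay_keyed"] = iwf.validate(captured, r2)      # stale AUTHR, new challenge
    out["sim_moved"] = iwf.validate(phone_b.access(r3), r3)
    out["record_follows_terminal"] = (
        iwf.auc[sim.min_].terminal_esn == phone_b.terminal_esn)
    iwf.blacklist.add(phone_b.terminal_esn)
    out["stolen_terminal"] = iwf.validate(phone_b.access(r3), r3)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `sim_moved` case is the one the description emphasises: the same SIM
in a different terminal authenticates at once, and the IWF only records the
new terminal-based ESN afterwards.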
Claims:

1. In a dual-mode communication system having a first network and a second
network serving at least one dual-mode terminal equipped with a Subscriber
Information Module (SIM) card, a subscriber validation method comprising
the steps of:

performing a registration process in the first network using a
terminal-based Electronic Serial Number (ESN); and

performing a key-based authentication in the first network based on a
SIM-based ESN.

2. The method of claim 1, wherein the first network is an analog network.

3. The method of claim 2, wherein the second network is a digital network.

4. The method of claim 3, wherein the first network is an AMPS network and
the second network is a GSM network.

5. The method of claim 1 further including the steps of:

interfacing the first network with the second network via an interworking
function (IWF) having an authentication database; and

performing the key-based authentication based on SIM-based ESN information
stored in the authentication database.

6. The method of claim 5, further including the step of performing the
key-based authentication that includes comparing an IWF-generated
authentication result with a terminal generated authentication result.

7. In an analog communication system having at least one mobile terminal
equipped with a Subscriber Information Module (SIM) card, a validation
method comprising the steps of:

transmitting a Mobile Identification Number (MIN);

transmitting from the mobile terminal a first Electronic Serial Number
(ESN); and

transmitting an authentication result, wherein said authentication result
is derived based on a second ESN.

8. The method of claim 7, wherein the first ESN is stored in the mobile
terminal and the second ESN and MIN are stored on the SIM card.

9. A dual-mode communication system, comprising:

a first network;

a second network;

at least one dual-mode terminal, including a Subscriber Information Module
(SIM) card, a transmitter for transmitting a terminal-based Electronic
Serial Number (ESN) for registration in the first network using; and
transmitting a SIM-based ESN for performing a key-based authentication in
the first network.

10. The system of claim 9, wherein the first network is an analog network.

11. The system of claim 10, wherein the second network is a digital
network.

12. The system of claim 11, wherein the first network is an AMPS network
and the second network is a GSM network.

13. The system of claim 9 further including an IWF block that interfaces
the first network with the second network, the IWF block having an
authentication database used for the key-based authentication.

14. The system of claim 13, wherein the IWF block performs the key-based
authentication by comparing an IWF-generated authentication result with a
terminal generated authentication result.